CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 1CVE-2021-30158 – Gentoo Linux Security Advisory 202107-40
https://notcve.org/view.php?id=CVE-2021-30158
06 Apr 2021 — An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Blocked users are unable to use Special:ResetTokens. This has security relevance because a blocked user might have accidentally shared a token, or might know that a token has been compromised, and yet is not able to block any potential future use of the token by an unauthorized party. Se detectó un problema en MediaWiki versiones anteriores a 1.31.12 y versiones 1.32.x hasta 1.35.x anteriores a 1.35.2. Los usua... • https://lists.debian.org/debian-lts-announce/2021/05/msg00003.html • CWE-287: Improper Authentication •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-29004
https://notcve.org/view.php?id=CVE-2020-29004
29 Jan 2021 — The API in the Push extension for MediaWiki through 1.35 did not require an edit token in ApiPushBase.php and therefore facilitated a CSRF attack. La API en la extensión Push para MediaWiki versiones hasta 1.35, no requería un token de edición en el archivo ApiPushBase.php y, por lo tanto, facilitó un ataque de tipo CSRF • https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Push/+/625988 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-29005
https://notcve.org/view.php?id=CVE-2020-29005
29 Jan 2021 — The API in the Push extension for MediaWiki through 1.35 used cleartext for ApiPush credentials, allowing for potential information disclosure. La API en la extensión Push para MediaWiki versiones hasta 1.35, usa texto sin cifrar para las credenciales de ApiPush, permitiendo una potencial divulgación de información • https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Push/+/625988 • CWE-319: Cleartext Transmission of Sensitive Information CWE-522: Insufficiently Protected Credentials •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-35622
https://notcve.org/view.php?id=CVE-2020-35622
21 Dec 2020 — An issue was discovered in the GlobalUsage extension for MediaWiki through 1.35.1. SpecialGlobalUsage.php calls WikiMap::makeForeignLink unsafely. The $page variable within the formatItem function was not being properly escaped, allowing for XSS under certain conditions. Se detectó un problema en la extensión GlobalUsage para MediaWiki versiones hasta 1.35.1. El archivo SpecialGlobalUsage.php llama a la función WikiMap::makeForeignLink de forma no segura. • https://gerrit.wikimedia.org/r/c/mediawiki/extensions/GlobalUsage/+/646744 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2020-35623
https://notcve.org/view.php?id=CVE-2020-35623
21 Dec 2020 — An issue was discovered in the CasAuth extension for MediaWiki through 1.35.1. Due to improper username validation, it allowed user impersonation with trivial manipulations of certain characters within a given username. An ordinary user may be able to login as a "bureaucrat user" who has a similar username, as demonstrated by usernames that differ only in (1) bidirectional override symbols or (2) blank space. Se detectó un problema en la extensión CasAuth para MediaWiki versiones hasta 1.35.1. Debido a... • https://github.com/CWRUChielLab/CASAuth/pull/11 • CWE-20: Improper Input Validation CWE-706: Use of Incorrectly-Resolved Name or Reference •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-35624
https://notcve.org/view.php?id=CVE-2020-35624
21 Dec 2020 — An issue was discovered in the SecurePoll extension for MediaWiki through 1.35.1. The non-admin vote list contains a full vote timestamp, which may provide unintended clues about how a voting process unfolded. Se detectó un problema en la extensión SecurePoll para MediaWiki versiones hasta 1.35.1. La lista de votos non-admin contiene una marca de tiempo de votación completa, que puede proporcionar pistas no deseadas sobre cómo se desarrolló un proceso de votación • https://gerrit.wikimedia.org/r/q/If8e15eb8ce9ec652c06816cbff52bb084fd50e73 • CWE-203: Observable Discrepancy •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-35625
https://notcve.org/view.php?id=CVE-2020-35625
21 Dec 2020 — An issue was discovered in the Widgets extension for MediaWiki through 1.35.1. Any user with the ability to edit pages within the Widgets namespace could call any static function within any class (defined within PHP or MediaWiki) via a crafted HTML comment, related to a Smarty template. For example, a person in the Widget Editors group could use \MediaWiki\Shell\Shell::command within a comment. Se detectó un problema en la extensión Widgets para MediaWiki versiones hasta 1.35.1. Cualquier usuario con l... • https://gerrit.wikimedia.org/r/q/Ic899a8b15bc510e61cdacb5c024af2d226a2dbeb • CWE-862: Missing Authorization •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-35626
https://notcve.org/view.php?id=CVE-2020-35626
21 Dec 2020 — An issue was discovered in the PushToWatch extension for MediaWiki through 1.35.1. The primary form did not implement an anti-CSRF token and therefore was completely vulnerable to CSRF attacks against onSkinAddFooterLinks in PushToWatch.php. Se detectó un problema en la extensión PushToWatch para MediaWiki versiones hasta 1.35.1. El formulario principal no implementó un token anti-CSRF y, por lo tanto, era completamente vulnerable a los ataques de tipo CSRF contra la función onSkinAddFooterLinks en el ... • https://gerrit.wikimedia.org/r/q/14dc79b1f44c2a1ca6b1192284206c7b8626fb57 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2020-35480 – Debian Security Advisory 4816-1
https://notcve.org/view.php?id=CVE-2020-35480
18 Dec 2020 — An issue was discovered in MediaWiki before 1.35.1. Missing users (accounts that don't exist) and hidden users (accounts that have been explicitly hidden due to being abusive, or similar) that the viewer cannot see are handled differently, exposing sensitive information about the hidden status to unprivileged viewers. This exists on various code paths. Se detectó un problema en MediaWiki versiones anteriores a 1.35.1. Una falta de usuarios (cuentas que no existen) y usuarios ocultos (cuentas que se han... • https://lists.debian.org/debian-lts-announce/2020/12/msg00034.html • CWE-203: Observable Discrepancy •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 1CVE-2020-35477 – Debian Security Advisory 4816-1
https://notcve.org/view.php?id=CVE-2020-35477
18 Dec 2020 — MediaWiki before 1.35.1 blocks legitimate attempts to hide log entries in some situations. If one sets MediaWiki:Mainpage to Special:MyLanguage/Main Page, visits a log entry on Special:Log, and toggles the "Change visibility of selected log entries" checkbox (or a tags checkbox) next to it, there is a redirection to the main page's action=historysubmit (instead of the desired behavior in which a revision-deletion form appears). MediaWiki versiones anteriores a 1.35.1, bloquea los intentos legítimos de ocult... • https://lists.debian.org/debian-lts-announce/2020/12/msg00034.html • CWE-670: Always-Incorrect Control Flow Implementation •